SharpHound icon indicating copy to clipboard operation
SharpHound copied to clipboard
verified publisher icon BloodHoundAD

WriteSPN not working

Open Fabrizzio53 opened this issue 1 year ago • 1 comments

I used this as collection method -c All,GPOLocalGroup,SPNTargets,LoggedOn, I have a user here which has WriteSPN on 2 computers, but for some reason sharphound does not find this.

Fabrizzio53 avatar Jun 11 '24 12:06 Fabrizzio53

I have the same problem, I found write rights over the servicePrincipalName of an user with bloodyAD but SharpHound doesn't find it. I confirmed the rights by performing TargetedKerberoasting successfully.

The user objectClass is: top;person;organizationalPerson;user

Following bloodyAD command and output:

$ bloodyAD --host dc.domain.local -u 'Username' -p 'Password' -d domain.local get writable --detail

distinguishedName: CN=RedactedName,OU=RedactedOrganizationalUnit,DC=domain,DC=local

msRTCSIP-AcpInfo: WRITE
msExchUCVoiceMailSettings: WRITE
msRTCSIP-UserPolicies: WRITE
msRTCSIP-TargetUserPolicies: WRITE
msRTCSIP-UserLocationProfile: WRITE
msRTCSIP-DeploymentLocator: WRITE
msRTCSIP-ApplicationOptions: WRITE
msRTCSIP-TenantId: WRITE
msRTCSIP-PrivateLine: WRITE
msRTCSIP-GroupingID: WRITE
msExchTUISpeed: WRITE
msExchTUIVolume: WRITE
msExchTUIPassword: WRITE
msExchVoiceMailboxID: WRITE
msRTCSIP-UserPolicy: WRITE
msRTCSIP-LineServer: WRITE
msRTCSIP-Line: WRITE
msRTCSIP-OptionFlags: WRITE
msRTCSIP-ArchivingEnabled: WRITE
msRTCSIP-InternetAccessEnabled: WRITE
msRTCSIP-FederationEnabled: WRITE
msRTCSIP-UserExtension: WRITE
msRTCSIP-PrimaryHomeServer: WRITE
msRTCSIP-OriginatorSid: WRITE
msRTCSIP-TargetHomeServer: WRITE
msRTCSIP-UserEnabled: WRITE
msExchOmaAdminExtendedSettings: WRITE
msExchOmaAdminWirelessEnable: WRITE
msExchQueryBaseDN: WRITE
dLMemDefault: WRITE
msExchRecipLimit: WRITE
msExchMailboxFolderSet: WRITE
msExchMailboxGuid: WRITE
mDBOverHardQuotaLimit: WRITE
msExchFBURL: WRITE
msExchControllingZone: WRITE
msExchResourceProperties: WRITE
msExchResourceGUID: WRITE
msExchIMAddress: WRITE
msExchIMVirtualServer: WRITE
msExchIMPhysicalURL: WRITE
msExchIMMetaPhysicalURL: WRITE
msExchIMACL: WRITE
msExchUserAccountControl: WRITE
msExchInconsistentState: WRITE
msExchPreviousAccountSid: WRITE
msExchUnmergedAttsPt: WRITE
msExchMasterAccountSid: WRITE
msExchMailboxSecurityDescriptor: WRITE
msExchHideFromAddressLists: WRITE
msExchUseOAB: WRITE
msExchADCGlobalNames: WRITE
msExchALObjectVersion: WRITE
replicationSignature: WRITE
msExchExpansionServerName: WRITE
unmergedAtts: WRITE
msExchHomeServerName: WRITE
msExchOriginatingForest: WRITE
msExchIMAPOWAURLPrefixOverride: WRITE
msExchPfRootUrl: WRITE
msExchMailboxUrl: WRITE
msExchPoliciesExcluded: WRITE
msExchPoliciesIncluded: WRITE
msExchCustomProxyAddresses: WRITE
msExchProxyCustomProxy: WRITE
msExchPolicyEnabled: WRITE
msExchPolicyOptionList: WRITE
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
manager: WRITE
mail: WRITE
textEncodedORAddress: WRITE
userSMIMECertificate: WRITE
msExchRequireAuthToSendTo: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-HABSeniorityIndex: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msDS-PhoneticDisplayName: WRITE
msDS-PhoneticCompanyName: WRITE
msDS-PhoneticDepartment: WRITE
msDS-PhoneticLastName: WRITE
msDS-PhoneticFirstName: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
msDS-SourceObjectDN: WRITE
msDS-AllowedToDelegateTo: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
altSecurityIdentities: WRITE
servicePrincipalName: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
userPrincipalName: WRITE
legacyExchangeDN: WRITE
assistant: WRITE
otherMailbox: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
showInAddressBook: WRITE
systemFlags: WRITE
division: WRITE
objectGUID: WRITE
name: WRITE
homePostalAddress: WRITE
language: WRITE
personalTitle: WRITE
formData: WRITE
forwardingAddress: WRITE
replicatedObjectVersion: WRITE
extensionAttribute15: WRITE
extensionAttribute14: WRITE
extensionAttribute13: WRITE
extensionAttribute12: WRITE
extensionAttribute11: WRITE
supportedAlgorithms: WRITE
msExchLabeledURI: WRITE
attributeCertificate: WRITE
internetEncoding: WRITE
protocolSettings: WRITE
dnQualifier: WRITE
enabledProtocols: WRITE
pOPCharacterSet: WRITE
languageCode: WRITE
pOPContentFormat: WRITE
wWWHomePage: WRITE
heuristics: WRITE
mailNickname: WRITE
msExchAssistantName: WRITE
kMServer: WRITE
extensionAttribute10: WRITE
extensionAttribute9: WRITE
extensionAttribute8: WRITE
extensionAttribute7: WRITE
extensionAttribute6: WRITE
extensionAttribute5: WRITE
extensionAttribute4: WRITE
extensionAttribute3: WRITE
extensionAttribute2: WRITE
extensionAttribute1: WRITE
expirationTime: WRITE
mAPIRecipient: WRITE
displayNamePrintable: WRITE
targetAddress: WRITE
folderPathname: WRITE
mDBUseDefaults: WRITE
autoReplyMessage: WRITE
autoReply: WRITE
submissionContLength: WRITE
otherHomePhone: WRITE
mDBOverQuotaLimit: WRITE
mDBStorageQuota: WRITE
importedFrom: WRITE
streetAddress: WRITE
homeMDB: WRITE
deliveryMechanism: WRITE
publicDelegates: WRITE
extensionData: WRITE
replicationSensitivity: WRITE
unauthOrig: WRITE
proxyAddresses: WRITE
deliverAndRedirect: WRITE
homeMTA: WRITE
company: WRITE
dLMemSubmitPerms: WRITE
department: WRITE
delivExtContTypes: WRITE
delivContLength: WRITE
co: WRITE
authOrig: WRITE
altRecipient: WRITE
otherPager: WRITE
deletedItemFlags: WRITE
securityProtocol: WRITE
info: WRITE
telephoneAssistant: WRITE
dLMemRejectPerms: WRITE
otherTelephone: WRITE
dn: WRITE
initials: WRITE
givenName: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
description: WRITE
title: WRITE
ou: WRITE
o: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
sn: WRITE
objectCategory: WRITE
cn: WRITE
objectClass: WRITE

@rvazarkar if you need other info to debug the problem let me know

Signum21 avatar Mar 23 '25 19:03 Signum21